15 September 1980


MEMORANDUM FOR: Director of Data Processing 
VIA: Inspector General


FROM: [illegible]
Chief, Audit Staff 


SUBJECT: Audit of Office of Data Processing


1. The Audit Staff has scheduled an audit of the Office
of Data Processing for the period 1 July 1978 to 30 September
1980. The audit will cover compliance of activity with applicable
laws, policies and regulations; effectiveness and efficiency
of operations; and financial and logistical records and
procedures.


2. The audit is scheduled to begin approximately
6 October 1980. The target date for completion is early
December 1980. The audit team will consist of five or six
members of the Information Systems Audit Division. Michael
McGraw will be the supervising auditor. We will request a
meeting with you prior to the start of the audit.


3. Please indicate your concurrence by signing and
returning the original of this memorandum.

STATINTL


STATINTL 


CONCUR:

Director of Data Processing    Date


Distribution: 
Orig. - Signature & Return
1 - Addressee
1 - O/Compt/BMG
Report of Audit of Office of Data Processing


as of 30 June 1978


RESPONSIBLE    AUDIT STAFF
OFFICER        RECOMMENDATION

C/MS #1: Present ODP's minicomputer support plan to the EAG for its
consideration within the framework of the annual review as
directed in the DDCI memorandum cited above.

ODP RESPONSE

#1: The ODP plan was a new initiative to procure four minicomputers
in FY-80 and obtain five FY-80 personnel slots for minicomputer
support. The plan was rejected by senior Agency management during
the FY-80 budget review process. Three of the five staff personnel
were to provide Agency-wide technical support of [illegible]
acquisition and maintenance of ADP minicomputers. The other two
staff personnel were to provide systems programming support to the
four minicomputers and were to undertake planning and design work
for distributed computing. The present ODP plan is to include
minicomputers in the ODP budget in support of user requirements
whenever these requirements have been identified prior to the
formulation of a FY Program or Budget. Requirements identified
after Program and Budget formulation will have to be funded from
the user's budget or processed as an unfunded requirement.

The known minicomputer plans requiring ODP support that will be
presented to the EAG for review, as directed in the DDCI memorandum
cited in para. 2 of the Audit Report, are an [illegible]
minicomputer application and possibly the GIMINI project--the
latter was described in para. 10 of the Report.
RESPONSIBLE    AUDIT STAFF
OFFICER        RECOMMENDATION

C/MS #1: Continued

DD/P #2: Review and prioritize the Agency's emergency ADP
requirements and develop a written disaster recovery plan that
adequately provides support in the event of a disaster. Also
provide for a current maintenance and periodic testing of the plan
after development.

DD/P #3: Store system software backup tapes and copies of critical
data bases in the [25X1A] Archives and/or exchange copies between
the two computer centers. The stored backup records and programs
should also be currently maintained and periodically tested to
determine their operational readiness.
ODP RESPONSE

#1 (continued): ODP senior management will convene in the near
future to review the ODP minicomputer policy and make revisions to
the policy where deemed necessary.

#2: During FY-79 we will develop a methodology for determining the
Agency's emergency ADP requirements supported by [illegible]. Next,
we will prepare and [illegible] a disaster recovery plan for higher
management's consideration. With approval of the plan and the
allocation of necessary resources for the execution of the plan,
we will undertake the necessary preparation to execute the plan and
then commence periodic testing of the plan.

#3: Copies of critical production data sets, GIMS data bases
(including GIMS procedure dictionaries and software) and all
computer programs in the ODP Centralized Library System are stored
in the [25X1A] Archives with the exception of CAMS information--the
storage of CAMS data and software at [redacted] will commence by
31 December 1978. The offsite storage of critical data and software
has been a long standing requirement of the Production Division.
In January 1978, storage procedures were published in the ODP
User's Guide in a section entitled, "Magnetic Tape Offsite Storage
Procedures." The procedures apply to all users of the computer
centers and also contain the criteria for refreshing material
stored on magnetic tape.
RESPONSIBLE    AUDIT STAFF
OFFICER        RECOMMENDATION

DD/P #3: Continued

C/MS #4: Determine methods for better controls in the areas
mentioned. Coordinate this study with the Office of Security.

C/MS #5: Consider converting the current part time administrative
assistant to a full time position. In addition, formally request
technical security assistance from the Office of Security to
assure proper attention to these technical security problems.

ODP RESPONSE

#3 (continued): Exchange copies of selected system software have
been stored in the two computer centers and to a certain extent
stored in the [redacted] Archives. A procedure to store and refresh
system software will be finalized during FY-79 and then all system
software will be stored at [redacted].

#4: All the areas identified and [illegible] requiring action have
been reviewed by the ODP/OS Joint Working Group. The recently
completed risk analysis study also identified these areas and gave
recommendations for solving the problems.

Three critical areas, the [illegible]-03 point, the GC-47 point,
and file labeling, are presently being studied with a goal of
solving these problems in FY-79. It is anticipated that the other
problems identified will be solved or approaches recommended in
FY-79.

All technical security [illegible] are coordinated with
[illegible]SG/OS directly or [illegible] the ODP/OS Joint Working
Group.

#5: The conversion of the part time position to a full time
position is inadequate to solve the problem. The present part time
help is sufficient for the Security Officer to remain current on
administrative tasks.

An additional position is needed to implement a computer security
program as [illegible] by the ODP/OS Joint Working Group. Rather
than change the administrative assistant position to full time, a
full time senior security officer is needed.
RESPONSIBLE    AUDIT STAFF
OFFICER        RECOMMENDATION

C/MS #5: Continued


DD/P 


C/MS 




DD/P 


#6: Use Data Erase to sanitize 
all magnetic tapes that are to 
be used as "scratch" tapes in 
the Special Center. 


#7: Continue to review the need
for "E" Ruffing Center access
indicators for non-Center personnel
and expand the usage of
no escort badges for infrequent
users.


#8: Install a remotely controlled
access gate in the
Ruffing Center "point" area to
limit unchallenged entry to the
computer room.


#9: Establish more stringent 
controls over users receipt of 
data from the "point" in the 
Ruffing Center. 


ODP RESPONSE

#5 (continued): The ODP plan to obtain one FY-80 personnel slot for
a computer security officer was rejected by senior Agency
management during the FY-80 budget review process. The security
officer was to formulate and monitor ODP computer security policies
and plans by analyzing current security practices, assessing
vulnerabilities, and recommending the necessary corrective actions.

#6: The Special Center will implement a plan on 1 December 1978 to
use Data Erase to sanitize all magnetic "scratch" tapes.

#7: Access to the Ruffing and Special Centers is reviewed each
October and March. On each review cycle, a number of "E" indicators
are retracted. Use of no escort badges has been expanded.

#8: An access/authorization system is presently under consideration
that will control entry into the computer room. In the event the
proposed system is tabled or delayed, then alternative solutions
will be evaluated.

#9: The access/authorization system mentioned in the above response
is the most logical and effective solution to the stringent
controls problem. However, until its implementation we will
establish more stringent control over users receipt of data in the
Ruffing Center.
RESPONSIBLE    AUDIT STAFF
OFFICER        RECOMMENDATION

DD/P #10: Provide terminal usage reports to appropriate ODP
management personnel for monitoring efficiency and security of
terminal usage.

DD/P #11: Complete development and implement procedures to control
systems changes.

C/MS #12: Continue efforts to update cost accounting procedures to
accurately and completely identify the current cost of ADP computer
systems software.

C/AS #13: Continue the coordinated effort with the Office of
Logistics to jointly solve ODP's property accounting problems.
Insure that a complete physical inventory is conducted in
accordance with [25X1A]. Document any discrepancies revealed as a
result of the inventory as prescribed by the regulations.

C/AS #14: Take actions required to assure recording of Type II
Property transactions on a more timely basis.

DD/P #15: Determine the present capability of EMIS to serve as a
central data base for all hardware transactions, both engineering
and financial. Identify the information needs of various components
and determine whether EMIS can be enhanced to the point where it
satisfies the needs identified. If EMIS is enhanced, research and
verify to supporting documentation any missing data. Consider
recording ODP's office equipment on the data base in addition to
currently listed major hardware items.

ODP RESPONSE

#10: The capability to gather data necessary to prepare such
reports has only recently become available to us as the result of
over a year of development work.

By the end of this calendar year, we will begin distributing a
terminal utilization report to appropriate ODP management personnel
and all Agency ADP Control Officers for monitoring efficiency and
security of terminal usage.

#11: A system to control changes to the GIMS Production software
was implemented on 31 July 1978.

#12: We are currently studying our pricing structure and intend to
reflect new ADP cost accounting procedures in the changes that are
made. Also, in an effort to furnish more accurate information to
our users, in FY-79 we will separate the charges for ODP provided
staff and contractor support. In addition, we are considering
separating the charges for software development and production
processing in our Project Activity Report.

#13 and #14: This is in response to recommendations 13 and 14. We
have completed the following: An OL task force was formed on
September 1978 and situated within ODP. An analysis of ODP's
property accounting problems was initiated; documentary
deficiencies were identified; existing property acquisition and
disposal procedures and the documents associated therewith were
reviewed in detail; preliminary work on new property control
procedures was considered; personnel impact of new procedures was
assessed; a system of Agency stock numbers for ODP property to
assist in control has been started; discrepancies in property
documents are being corrected as found. A computerized [illegible]
of property control [illegible] Printing Services Division is being
examined for adoption by ODP. The current estimate is that the task
force will require another 180 days to complete its task, including
a complete wall-to-wall inventory of ODP property and the
establishment of an automated control system.

#15: Wherever possible, the [illegible] of the Engineering
Management Information System (EMIS) will be [illegible] as
resources are made available. The present system has been under
development for [illegible] years. Once all of Engineering
Division's needs are satisfied, we will examine its potential use
as a data base for financial transactions.